Hacked Kaspersky Download Site Directs Users to Fake Antivirus

Kaspersky Lab now admits that people attempting to buy Kaspersky's security products on Oct. 17 were redirected by hackers to a scareware site with links to fake antivirus software called Security Tool.

Hackers
have caused serious embarrassment for a major security technology company.
Kaspersky Lab's Website was hacked over the weekend, sending customers looking
for security software to an external download page pushing counterfeit
software.
When
users tried to download software from Kaspersky on Oct. 17, they were
redirected to a malware site that tricked users into downloading fake antivirus
software called Security Tool. Once executed, Security Tool displays pop-ups
reporting a number of vulnerabilities and threats "found" to scare
users into buying what it says is a full version in order to fix these
problems.

Users
posted about the attack on various online forums, but said Kaspersky denied any
kind of a breach had happened, even after a post from someone thought to be a
Kaspersky Japan employee said the issue was fixed.

The
company finally admitted to IT Pro on Oct. 19 that it had been hacked, saying the
redirection to the scareware site had lasted only 3.5 hours on Oct. 17. When
the company was notified, it took the affected server offline within 10
minutes, Kaspersky told IT Pro.
"Currently
the server is secure and fully back online, and Kaspersky products are
available for download," the company said to IT Pro.
Affected
Kaspersky users posted about the hacked site on three different forums:
security-oriented Calendar of Updates, Yahoo Answers and Kaspersky's own
Kaspersky Lab forum. Kaspersky either didn't respond to queries, or denied
there was a problem on the site.
On
the Kaspersky Labs forum, a user called to report the breach but said Kaspersky
blamed the victim, suggesting the user must have clicked on a phishing link or
mistyped the URL and landed on a fake site. When the user pointed out the
redirect still happened when clicking on the download link in an order
confirmation e-mail from seven months ago, the company said, "That e-mail
was probably a fake e-mail."
The
poster complained, "Now, Kaspersky didn't want to help my father and
wanted money to help him clean up the infection they caused."
Kaspersky
is staying quiet on the details of how the hackers got control, but said it was
a bug in a "third-party application used for site admin" on the
Kasperskyusa.com Website, according to Trend Micro's CounterMeasures security
blog.
Fake
antivirus software is commonly spread
via phishing scams and pages created specifically to appear high in search
results. However, "this compromise of a legitimate download site,
particularly a security vendor, could represent an important new change of
tactics by the scareware pushers," Rik Ferguson wrote on CounterMeasures
Oct. 19.
Users
were more angry about Kaspersky's silence and refusal to admit to a problem
than the hack itself. While they'd recognized the scareware tactic immediately,
less security-savvy users could have been duped and installed the software.
Kaspersky's silence provided those users with no guidance as to what to do
next.
On
the Calendar of Updates forum, a concerned user wrote, "Not sure what more
I could do. I would like a bit of transparency, but I guess that no security
company will come out and admit that their own Website got hacked."
"Security
vendors have often been the target
of both malicious and mischievous hackers and, without fail, honesty and
transparency have always been the best policy in the aftermath of such an
event," wrote Ferguson.
This
is not
Kaspersky's first breach. In early 2009, an update to Kaspersky's support
site created a security hole in the database that exposed customer e-mail
addresses and product activation codes via a SQL injection attack. The hacker
informed Kaspersky, who immediately fixed the bug.
Various
Kaspersky international sites have been defaced at least 36 times since 2000,
according to ZDNet's Zero Day security blog.
No user information was compromised in Sunday's attack, Kaspersky
said.